tonyc1075

Infected With "seneka.sys" Trojan


Hello,

 

As a quick background, I started using Avast, Spybot S&D, Ad-Aware, MBAM, and ATF-Cleaner all about 6 months ago. Since then, I have run scans frequently and have never had a problem. My computer has been running great.

 

Today, seemingly out of nowhere (I was not doing anything special or on any sites that I don't frequently visit), Avast started going crazy and gave me 4 prompts about infections to my computer. Below is an Avast log (I took out error messages and things about files infected in system restore):

 

--------------------

 

10/7/2007 9:11:47 PM SYSTEM 868 Sign of "JS:Agent-Q [Trj]" has been found in "http://80.93.59.108/wssezsewswsxwreo/" file.

 

2/18/2008 9:22:31 AM SYSTEM 624 Sign of "Win32:Gida [Trj]" has been found in "http://thetechnorati.com/swf/gnida.swf?campaign=whoduniton&u=1198689218" file.

 

4/23/2008 1:13:33 PM SYSTEM 564 Sign of "VBS:Malware-gen" has been found in "http://movie-galleries.ztgals.com/97/gallery.html" file.

 

5/24/2008 4:21:25 PM SYSTEM 576 Sign of "Win32:Banker-EPP [Trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\Ad-Aware QF 20080524 162124.aawqff" file.

 

5/24/2008 5:03:14 PM Anthony J. Ciolino 9892 Sign of "Win32:Horst-AAF [Trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\Ad-Aware QF 20080218 181307.aawqff" file.

 

5/24/2008 5:03:32 PM Anthony J. Ciolino 9892 Sign of "Win32:Banker-EPP [Trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\Ad-Aware QF 20080405 182355.aawqff" file.

 

6/3/2008 6:27:45 PM SYSTEM 784 Sign of "Win32:Banker-EPP [Trj]" has been found in "C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\Ad-Aware QF 20080603 182737.aawqff" file.

 

7/30/2008 11:09:03 AM SYSTEM 504 Sign of "HTML:Agent-L [Expl]" has been found in "http://www.killmyday.com/slipme.asp?1217430543078&id=wwwwxp&pop=enter&t=1&subid=259&blk=1&fc=-1" file.

 

7/30/2008 11:09:12 AM SYSTEM 504 Sign of "HTML:Agent-L [Expl]" has been found in "C:\Documents and Settings\Anthony J. Ciolino\Local Settings\Application Data\Mozilla\Firefox\Profiles\mfble1f3.default\Cache\4143BEB4d01" file.

 

1/11/2009 11:54:03 AM SYSTEM 1524 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\ANTHON~1.CIO\LOCALS~1\Temp\prun.tmp" file.

 

1/11/2009 11:54:23 AM SYSTEM 1524 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\ANTHON~1.CIO\LOCALS~1\Temp\rasesnet.tmp" file.

 

1/11/2009 11:54:32 AM SYSTEM 1524 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\ANTHON~1.CIO\LOCALS~1\Temp\winvsnet.tmp" file.

 

1/11/2009 11:55:09 AM SYSTEM 1524 Sign of "Win32:Fasec [Trj]" has been found in "C:\WINDOWS\system32\drivers\seneka.sys" file.

 

--------------------

 

This computer used to have many people using it. I took it over 6 months ago, so I'm not sure what some of the earlier problems were.

 

I ran ATF-Cleaner and deleted everything I could.

I ran Avast and it came back finding 0 infections.

I ran Spybot S&D and it came back finding 0 infections.

I ran Ad-Aware and it came back finding 0 infections.

I ran MBAM and it found the following (the reason it took so long is because all scanners were running at the same time):

 

--------------------

 

Malwarebytes' Anti-Malware 1.32

Database version: 1643

Windows 5.1.2600 Service Pack 3

 

1/11/2009 2:56:52 PM

mbam-log-2009-01-11 (14-56-52).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 146752

Time elapsed: 2 hour(s), 51 minute(s), 36 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Documents and Settings\Anthony J. Ciolino\Local Settings\Temp\seneka5158.tmp (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Anthony J. Ciolino\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

 

--------------------

 

I restarted the computer when MBAM prompted me to. The computer restarted to Windows but ended up freezing. I had to hold down the power button to shut the computer down. I then rebooted, and it worked as normal. I ran MBAM again and 0 infections were found (this scan only took 35 minutes as it was the only thing running).

 

I then turned off system restore to delete any problems in there. I then turned back on system restore to create a new restore point. I then restarted the computer just to clear everything to a fresh restart. I then ran Kaspersky's free scan and it found no problems. I then ran Hijack This, and below is the report:

 

--------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:50:42 PM, on 1/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

--

End of file - 7052 bytes

 

--------------------

 

My computer seems to be running fine at this time. Hijack This appears to be OK, and MBAM does not find any problems any longer. Does it appear that this most recent infection with "seneka.sys" is gone? Is there something more I should do (I'm not sure what things like ComboFix and SDFix do... do I need those?)? Also, does it appear all of the problems that were with this computer long ago (i.e. the problems from the Avast log file BEFORE 01/11/09) are gone?

 

It feels/seems like everything is OK, but I would like a more professional opinion.

 

Thanks in advance!


Also, just as a side note, I have a few other posts on this board. That was from fixing my wife's computer. This board was very helpful in fixing that, which is why I have returned again for my own computer :)

 

I just want to clear that up in case there is some confusion.


Hi tonyc1075,

 

Let's get a rootkit scan just to make sure it's gone, since I don't see the actual driver removed in any of the logs. Download GMER Rootkit Scanner from here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in ark.txt. Save it where you can easily find it, such as your desktop, then post the contents here.

 

**Caution**

Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries

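As an added example (not from this thread and not GMER's own code), here is a small Python parser for the SSDT section of the GMER log format used in this thread. It groups hooked syscalls by the driver that owns the hook and lists modules without a vendor description first, which is the practical way to apply the caveat above: a known vendor driver (here avast's self-protection module) hooking the SSDT is expected, not a rootkit finding. The aswSP.SYS sample lines mirror the log posted later in the thread; the unknown.sys line is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the GMER log format posted in this thread: the
# aswSP.SYS lines mirror the real log (avast's self-protection driver),
# the unknown.sys line is constructed to show a hook with no vendor label.
SAMPLE_GMER = r"""
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEDF8D576]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEDF8CF4A]
SSDT \??\C:\WINDOWS\system32\drivers\unknown.sys ZwQueryDirectoryFile [0xF7A10000]
---- Devices - GMER 1.0.14 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
"""

# One SSDT line: module path, optional "(description/vendor)", hooked Zw*
# call and the hook address GMER prints in square brackets.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)

def parse_ssdt_hooks(text):
    """Return the SSDT hook entries from the 'System' section of a GMER log."""
    hooks, in_system = [], False
    for line in text.splitlines():
        if line.startswith("---- "):
            in_system = "System" in line  # section header switches context
            continue
        m = SSDT_RE.match(line) if in_system else None
        if m:
            entry = m.groupdict()
            desc = entry["desc"]
            entry["vendor"] = desc.split("/")[-1].strip() if desc else None
            hooks.append(entry)
    return hooks

def summarize_hooks(hooks):
    """Group hooked calls by owning module, unlabelled modules first: a
    known vendor driver hooking the SSDT is the usual false positive."""
    funcs, vendor = defaultdict(list), {}
    for h in hooks:
        funcs[h["module"]].append(h["func"])
        vendor[h["module"]] = h["vendor"]
    rows = [{"module": m, "vendor": vendor[m], "funcs": sorted(f),
             "labelled": vendor[m] is not None} for m, f in funcs.items()]
    rows.sort(key=lambda r: (r["labelled"], r["module"].lower()))
    return rows

if __name__ == "__main__":
    for row in summarize_hooks(parse_ssdt_hooks(SAMPLE_GMER)):
        print(row["module"], row["vendor"] or "NO VENDOR LABEL", row["funcs"])
```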

  • Show All (don't miss this one)

 

Thanks for getting back to me quickly.

 

I did everything you asked, although the "show all" option was unchecked to begin with. I simply left it that way. Here is the log:

 

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-11 23:44:28

Windows 5.1.2600 Service Pack 3

 

 

---- System - GMER 1.0.14 ----

 

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEDF8D576]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEDF8D432]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEDF8D910]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEDF8D00A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEDF8D50C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEDF8CF4A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEDF8CFAE]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEDF8D62C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEDF8D5EC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEDF8D76C]

 

---- Devices - GMER 1.0.14 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

 

Device \FileSystem\Fastfat \Fat BAEDDD20

 

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

 

---- EOF - GMER 1.0.14 ----

 

Just as an FYI, the scanner only ran for about 5 minutes. I'm assuming that's normal, but I've never used the program before so I don't know.

 

Thanks in advance.


Thanks for your input. Can you please help me with one more thing? This always comes up in my Hijack This log. I have removed it 10 times, but it always just comes back. The computer came with some Roxio programs on it, but they have all been removed via add/remove programs.

 

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

 

The file path still exists: C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM; however, the .exe is no longer there. I would just delete the whole Roxio folder except there are two drivers in it: msvcp71.dll and msvrc71.dll. I'm assuming I don't need those, but I'm afraid to just delete them.

 

Do you know how to get rid of this line from Hijack This? It's annoying, and I don't want something running in the background that doesn't have to be.

 

Thanks and best wishes.


Copy the bolded line below.

 

sc stop RoxLiveShare9

 

Click Start>Run then paste the command in the Run dialog and hit Enter.

Now, do the same with this next command.

 

sc delete RoxLiveShare9

 

That should remove the service, and you can delete that entire Roxio Shared folder.

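Added example (not from this thread and not HijackThis's own code): a Python parser for HijackThis O23 service lines that flags entries whose binary is reported "(file missing)" or whose owner is unknown, and produces the same sc stop / sc delete pair given above for an orphaned registration. The sample lines are taken from the HijackThis log posted earlier in this thread; the function names triage and sc_commands are mine.

```python
import re

# Sample O23 lines taken from the HijackThis log posted in this thread (one is
# the orphaned Roxio service the last two posts deal with); the O4 line shows
# that other sections are ignored.
SAMPLE_HJT = r"""
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# O23 layout: display name, optional "(service key name)", owner, image path,
# plus the "(file missing)" marker HijackThis appends when the binary is gone.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def parse_o23(text):
    """Parse the O23 (service) lines of a HijackThis log into dicts."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue  # other HijackThis sections (O4, O9, ...) are skipped
        e = m.groupdict()
        e["name"] = e["key"] or e["display"]  # the key name is what sc takes
        e["missing"] = e["missing"] is not None
        entries.append(e)
    return entries

def triage(entries):
    """Pair each service worth a look with why: binary gone, or no vendor."""
    out = []
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("file missing")
        if e["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            out.append((e, reasons))
    return out

def sc_commands(entry):
    """The stop/delete pair from the thread, quoted if the key name has spaces."""
    name = f'"{entry["name"]}"' if " " in entry["name"] else entry["name"]
    return [f"sc stop {name}", f"sc delete {name}"]

if __name__ == "__main__":
    for e, reasons in triage(parse_o23(SAMPLE_HJT)):
        fix = "  ->  " + "; ".join(sc_commands(e)) if e["missing"] else ""
        print(f"{e['name']}: {', '.join(reasons)}{fix}")
```

An "unknown owner" entry with its binary still present (PnkBstrA here) is only a prompt to check the file, not something the script removes.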